Patrick,

I have not done all the research I really need to do for a better approach
yet; this is what I have so far. It seems to do the trick for most of what I
need - Mid Tier only.

This will work if all your users are authenticated. 

You need to allow Guest Users.

Get the KM-000000010678 RemoteUser.jsp from the Remedy Support Site. Follow
the directions for permissions, etc. Name it something like:
RequesterLogin.jsp.

You will have a link on your Intranet to the RequesterLogin.jsp file that
will automatically log in the user based on their authenticated Windows
login. (Note that anyone who has a password in the User table will need to
use the normal login screen.)

You create functionality that verifies the Windows login again. (This will
prevent mistyped or invalid logins by people who accidentally get to the
normal login screen or know how to access it via URL.)

Create another jsp, name it something like GetLogin.jsp. Here is an example:

<%@ page contentType="text/javascript" %>
<%
  /** Windows login as authenticated by the web server, e.g. DOMAIN\account.
      getRemoteUser() returns null when the request was not authenticated,
      so guard against that before stripping the domain. **/
  String ruser = request.getRemoteUser();
  String realname = "";
  if (ruser != null) {
    /** Remove [Domain.com\] from ruser so that we are left with only the
        NT domain account name **/
    int startpoint = ruser.indexOf("\\") + 1;
    realname = ruser.substring(startpoint);
  }
%>
function rtn_RemoteUser() {
  /* Empty string means the web server did not authenticate the caller. */
  return("<%=realname%>");
}

In the form that Requesters access upon login, place the following in the
heading:
<SCRIPT src="/arsys/shared/GetLogin.jsp" language="JavaScript" ></SCRIPT>

Then create an active link that will do a Run Process to set a field:
javascript:window.F(600000005).DoSet(rtn_RemoteUser()); (I got this part
from a post to the list with the Subject of "passing ip config information"
- I just love this list!)

You will need to create other Active Links as necessary to allow Admin
testing, etc. Verify the basic rules of login, etc. If these are not met or
if $USER$ does not equal the value your Active Link returns, limit the use
to view only of specific items, or bounce them out, etc.

Hope this helps!

Carolyn
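As an added example that is not Carolyn's code or the KM-000000010678 article's, here is the domain stripping done by GetLogin.jsp and the $USER$ comparison done by the Active Link written as plain Java, so the edge cases (no authenticated user, a name that would break the JavaScript string literal) can be exercised outside the Mid Tier; the class and method names are assumptions.

```java
// Added example (not from the thread or KM-000000010678): the domain
// stripping done by GetLogin.jsp and the $USER$ comparison done by the
// Active Link, as plain Java. Class and method names are assumptions.
public final class RequesterLoginCheck {
    public enum Verdict { NOT_AUTHENTICATED, MISMATCH, MATCH }

    // Reduce request.getRemoteUser() output such as "DOMAIN\jsmith" to the
    // bare NT account name "jsmith". Returns null when the web server did
    // not authenticate the request (the original loop would throw here).
    public static String accountName(String remoteUser) {
        if (remoteUser == null || remoteUser.trim().length() == 0) {
            return null;
        }
        String name = remoteUser.trim();
        int sep = name.lastIndexOf('\\');
        return sep >= 0 ? name.substring(sep + 1) : name;
    }

    // Escape a value for a double-quoted JavaScript string literal, which
    // is how GetLogin.jsp hands the name to the browser: return("<%=...%>").
    public static String jsStringLiteral(String value) {
        String s = value == null ? "" : value;
        s = s.replace("\\", "\\\\").replace("\"", "\\\"")
             .replace("\r", "\\r").replace("\n", "\\n");
        return "\"" + s + "\"";
    }

    // The check the Active Link performs: the Windows login fetched again
    // by GetLogin.jsp must equal $USER$. Ignoring case is an assumption
    // about how Windows and AR System login names were provisioned.
    public static Verdict matchesArUser(String remoteUser, String arUser) {
        String name = accountName(remoteUser);
        if (name == null) {
            return Verdict.NOT_AUTHENTICATED;
        }
        if (arUser != null && name.equalsIgnoreCase(arUser.trim())) {
            return Verdict.MATCH;
        }
        return Verdict.MISMATCH;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not values from the thread.
        System.out.println(matchesArUser("DOMAIN\\jsmith", "jsmith"));
        System.out.println(matchesArUser("DOMAIN\\jsmith", "Demo"));
        System.out.println(matchesArUser(null, "jsmith"));
        System.out.println(jsStringLiteral("j\"smith"));
    }
}
```

The NOT_AUTHENTICATED verdict is the case the Active Link should treat the same as a mismatch: bounce the session or limit it to view-only, as described above.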

-----Original Message-----
From: patrick zandi [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 11, 2006 8:11
To: [email protected]
Subject: Re: Authenticate an ARS user using a certificate stored on a
smart card


So, how is your approach to this .. Carolyn ?
you can send me offlist..
[EMAIL PROTECTED]

On 10/11/06, Wixson Carolyn L PSNS <[EMAIL PROTECTED]> wrote:
> This sounds very interesting.
>
> I am glad that there are so many people interested in finding a good fix
> for the PKI / Smartcard authentication. One thing that I would like to stay
> away from is having all the "Requesters" need to have a record in the user
> table. (We have around 7000 people that just need Requester access.)
>
> Carolyn
>
>
> -----Original Message-----
> From: Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
> [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 10, 2006 10:07
> To: [email protected]
> Subject: Re: Authenticate an ARS user using a certificate stored on a
> smart card
>
>
> The redirect is handled by the 401 Errors.  If you are not in the group
> hence 401 on the website.  Once redirected you must have CAC and a
> reason to register.  Registration info and harvested data is used to
> create the AD account.  What I am looking for is a more direct approach
> within ARS itself.
>
> Thanks,
> Dave
>
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:[EMAIL PROTECTED] On Behalf Of patrick zandi
> Sent: Tuesday, October 10, 2006 10:34
> To: [email protected]
> Subject: Re: Authenticate an ARS user using a certificate stored on a
> smart card
>
> This is interesting.. sounds a little like the AF Portal..
> The problem with AF Portal is the Embedded password into the scripting..
> This is a little on the "2 tacos shy of a combination plate" aspect..
> But it sounds like you are not doing that..
> interesting.. is this in JSP ? the redirector and then into remedy..
>
> would like to see that if possible..
>
> MSgt Patrick Zandi, USAF
>
> On 10/10/06, Davis, David CTR NAVSURFWARCENDIV Crane, Code 0552
> <[EMAIL PROTECTED]> wrote:
> > Hello Carolyn,
> >
> > What we have done at our activity is to tie the CAC PKI SmartCard to
> > the Active Directory and assign AD users to a Remedy Group.  That
> > group has permissions to the Virtual Website that hosts the Remedy
> > MidTier.  Much like your "Trust" comment below.  Additionally, we
> > redirect any user that attempts to access Remedy MidTier to a
> > registration page that collects their CAC data to create an AD
> > account.  Once their request is approved their AD account is added to
> > the Remedy group.  It is not where we want to be but we have our
> > Remedy MidTier and Production servers on separate AD Domains.
> >
> > Thank You for your feedback,
> > Dave Davis
> >
> >
> > -----Original Message-----
> > From: Action Request System discussion list(ARSList)
> > [mailto:[EMAIL PROTECTED] On Behalf Of Wixson Carolyn L PSNS
> > Sent: Friday, October 06, 2006 10:07
> > To: [email protected]
> > Subject: Re: Authenticate an ARS user using a certificate stored on a
> > smart card
> >
> > Hi!
> >
> > Here is what we plan on doing so far, only on the mid-tier (6.3):
> >
> > All of our users are authenticated, so we provide a link for
> > Requesters to a JSP page that gets the user name and logs them in with
> > it.
> >
> > Once they are in, an Active link runs a process that calls another JSP
> > page to get the Windows user name again and compares it to the $USER$.
> > (This is to ensure that someone does not work-around the auto-login
> > page.) Both of these JSP pages are based from KM-000000010678 "How can
> > I use my NT domain name to log me directly into the Mid-Tier without
> > having to be directed to login.jsp?"
> >
> > There are other Active links that run to ensure that the login meets
> > other criteria as well.
> >
> > This will work if everyone is authenticated, but as you said, it does
> > not check the certificate.
> >
> > On the windows client, it is pretty much available to just Customer
> > Support and they login. If a user does access the windows client,
> > there are some Active Links that limit the use, etc.
> >
> > I am looking at other solutions, but I believe that the above will
> > work for now. We have not moved this to production yet. We have never
> > used the Mid-Tier before, but now that we are going to allow
> > requesters to submit their own tickets, it seems a good way to go.
> >
> > I hope this helps.
> >
> > Carolyn Wixson
> >
> >
> >
> > -----Original Message-----
> > From: Rebecca Hammond [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, October 05, 2006 7:46
> > To: [email protected]
> > Subject: Re: Authenticate an ARS user using a certificate stored on a
> > smart card
> >
> >
> > Nothing, yet.  Based on research, seems that it can't be done - you
> > can set up a "trust" (which our security people get indignant at
> > calling it that) - meaning, if you want to "trust" that just because
> > someone got on to a machine with a smart card, you could grab the user
> > name and get them into the system that way.  But you can't have the AR
> > Server and the client communicate with certificates.
> >
> > However, on the mid-tier, we can use certificates, as we'll do all of
> > the authentication work using SiteMinder...
> >
> > -----Original Message-----
> > From: Action Request System discussion list(ARSList)
> > [mailto:[EMAIL PROTECTED] On Behalf Of Davis, David CTR
> > NAVSURFWARCENDIV Crane, Code 0552
> > Sent: Thursday, October 05, 2006 1:24 PM
> > To: [email protected]
> > Subject: Re: Authenticate an ARS user using a certificate stored on a
> > smart card
> >
> > Rebecca
> >
> > Have you been able to integrate ARS authentication with the PKI
> > SmartCard yet?  If so, what tools did you use?
> >
> > Thanks,
> > Dave Davis
> > Software Systems Engineer - SAIC
> >
> >
> > -----Original Message-----
> > From: Action Request System discussion list(ARSList)
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rebecca Hammond
> > Sent: Wednesday, September 13, 2006 13:39
> > To: [email protected]
> > Subject: Re: Authenticate an ARS user using a certificate stored on a
> > smart card
> >
> > Am I the only one who isn't totally confused by the white paper?  I'm
> > just not clear on how I'm supposed to write an Authenticator of my
> > own, that handles PKI or SmartCard technology.
> >
> > Is it just because with SSO, it pulls the information from your OS?
> >
> > Does anyone have any samples of what these Authenticators might look
> > like?
> >
> > Thanks in advance!
> >
> > -Rebecca Hammond
> >
> > On Fri, 11 Aug 2006 14:11:45 -0700, Easter, David
> > <[EMAIL PROTECTED]>
> > wrote:
> >
> > >Daniel,
> > >
> > >  You may want to take a look at the "Integrating BMC Remedy Action
> > >Request System with Single Sign-On (SSO)" white paper that was
> > >updated for AR System 7.00.00.  It also applies to other client-side
> > >login intercept technologies like smart cards or PKI.
> > >
> > >It is available on http://supportweb.remedy.com in the Documents
> > >section.
> > >
> > >David J. Easter
> > >Sr. Product Manager - BMC Software
> > >
> > >-----Original Message-----
> > >From: Action Request System discussion list(ARSList)
> > >[mailto:[EMAIL PROTECTED] On Behalf Of CONDREA, Daniel
> > >Sent: Thursday, August 10, 2006 10:53 PM
> > >To: [email protected]
> > >Subject: Re: Authenticate an ARS user using a certificate stored on a
> > >smart card
> > >
> > >Hi All,
> > >
> > >Can anybody suggest a way to authenticate an ARS user using a
> > >certificate stored on a smart card?
> > >
> > >The end user can not authenticate with a username and a password.
> > >He/she can only authenticate using the certificate stored in the
> > >smartcard.
> > >
> > >Best regards,
> > >Daniel Condrea
> > >
> > >--
> > >
> > >_______________________________________________________________________________
> > >UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org
> >
>
> --
> Patrick Zandi
>


-- 
Patrick Zandi
